Hi,

I just installed cflowd 2-1-b1 on a RedHat Linux 6.2 (kernel 2.2.14-5) and
first compiled arts++ 1.18 as required. The installation/making went
smoothly in both instances without a single error being generated.

The problem is probably with the cflowdmux, as I mention later, since I
don't see it in listening state using netstat -an. The cfdcollect and flowd
also make zero size files and although cfdcollect says it's writing some
data (reported in the syslog records, shown below) it doesn't seem to modify
the file itself (the time/date doesn't change at least), odd? What concerns
me most is that the Cisco says it's exporting but the cflowd data directory
only has 2 Mbytes files containing nothing.

I'm running the cflowdmux/cflowd/cfdcollect on the same computer having the
IP-address 1.2.3.4 (not giving the real address). I'm trying to collect from
a single Cisco 3620 router having the IP-address 5.6.7.8 (again not giving
the real address), which is configured to export to 1.2.3.4 on port 9992.

ip flow-aggregation cache source-prefix
 cache entries 1024
 cache timeout inactive 300
 cache timeout active 5
 export destination 1.2.3.4 9992
 enabled
!

The source address of the packets is the same as for the previously
mentioned ethernet interface on the router, i.e. 5.6.7.8.

I configured the cflowd.conf in the following way:

OPTIONS {
  # syslog to local6 facility.
  LOGFACILITY: local6
  # Listen for connections from cfdcollect on port 2056.
  TCPCOLLECTPORT: 2056
  # Use a 2 megabyte packet buffer in shared memory.
  PKTBUFSIZE: 2097152
  # Use /usr/local/arts/etc/cflowdtable.socket as named stream socket
  # for connections from local clients (cfdases et. al.)
  TABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socket
  # Keep raw flow files in /usr/local/arts/data/cflowd/flows directory.
  FLOWDIR: /usr/local/arts/data/cflowd/flows
  # Each raw flow file should be 1000000 bytes in length.
  FLOWFILELEN: 1000000
  # Keep 10 raw flow files per router.
  NUMFLOWFILES: 10
  # Log total missed flows from a router if it exceeds 1000 between
  # connections from cfdcollect.
  MINLOGMISSED: 1000
}
COLLECTOR {
  HOST: 1.2.3.4 # IP address of central collector
  ADDRESSES: { 1.2.3.4, localhost, 127.0.0.1 }
  AUTH: none
}
CISCOEXPORTER {
  HOST: 5.6.7.8 # IP address of Cisco sending data.
  ADDRESSES: { 5.6.7.8 } # Addresses of interfaces on Cisco
  CFDATAPORT: 9992 # Port on which to listen for data.
  SNMPCOMM: 'public' # SNMP community name.
  LOCALAS: 1324 # Local AS of Cisco sending data.
  COLLECT: { protocol, portmatrix, ifmatrix, nexthop, netmatrix,
             asmatrix, tos, flows }
}

I guess this is correctly configured, or it seems so to me.
When starting ./cflowdmux and ./cflowd, I get no errors and the .conf files
are kept in the default /usr/local/arts/etc directory.

DEBUGGING:

1. Records in the syslog show no errors,

Jun 8 01:36:36 halflife cflowd[19204]: [I] cflowd (version cflowd-2-1-b1) started.
Jun 8 01:36:36 halflife cflowd[19204]: [I] got semaphore: id 1
Jun 8 01:36:36 halflife cflowd[19204]: [I] attached to 2101248 byte packet queue at 0x4027a000
Jun 8 01:36:38 halflife cflowdmux[19206]: [I] cflowdmux (version cflowd-2-1-b1) started.
Jun 8 01:36:38 halflife cflowdmux[19206]: [I] created 2101248 byte packet queue shmem segment {CflowdPacketQueue.cc:247}
Jun 8 01:36:38 halflife cflowdmux[19206]: [I] attached to 2101248 byte packet queue at 0x40185000
Jun 8 01:36:38 halflife cflowdmux[19206]: [I] created semaphore: id 1
Jun 8 01:36:38 halflife cflowdmux[19206]: [I] set UDP recv queue to 261040 bytes for fd 4 (port 9992)
Jun 8 01:36:58 halflife cfdcollect[19208]: [I] cfdcollect (version cflowd-2-1-b1) started with 1 cflowd instances.
Jun 8 01:36:59 halflife cfdcollect[19208]: [I] connected to localhost:2056
Jun 8 01:37:15 halflife cfdcollect[19208]: [I] localhost has data for 1 router.
Jun 8 01:37:15 halflife cfdcollect[19208]: [I] got data for router 5.6.7.8 from localhost
Jun 8 01:37:15 halflife cfdcollect[19208]: [I] wrote data for router 5.6.7.8
Jun 8 01:37:15 halflife cfdcollect[19208]: [I] sleeping for 283 seconds.
Jun 8 01:37:15 halflife cflowd[19209]: [I] sent data to 127.0.0.1:1038

2. Output of netstat -an (NOTE: udp port 9992 is not in listening state as it should be)

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:2056 127.0.0.1:1042 TIME_WAIT
tcp 0 0 0.0.0.0:2056 0.0.0.0:* LISTEN
tcp 0 138 1.2.3.4:23 x.x.x.x:50687 ESTABLISHED
tcp 0 0 1.2.3.4:23 x.x.x.x:43888 ESTABLISHED
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:955 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2600 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:9992 0.0.0.0:*
udp 0 0 0.0.0.0:953 0.0.0.0:*
udp 0 0 0.0.0.0:1024 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 0 [ ACC ] STREAM LISTENING 621 /var/lib/mysql/mysql.sock
unix 0 [ ACC ] STREAM LISTENING 13447 /usr/local/arts/etc/cflowdtable.socket
unix 1 [ ] STREAM CONNECTED 709 @0000002c
unix 0 [ ACC ] STREAM LISTENING 517 /dev/printer
unix 1 [ ] STREAM CONNECTED 696 @00000029
unix 1 [ ] STREAM CONNECTED 700 @0000002a
unix 10 [ ] DGRAM 428 /dev/log
unix 0 [ ACC ] STREAM LISTENING 584 /dev/gpmctl
unix 0 [ ACC ] STREAM LISTENING 684 /tmp/.X11-unix/X0
unix 0 [ ACC ] STREAM LISTENING 641 /tmp/.font-unix/fs-1
unix 0 [ ] STREAM CONNECTED 164 @00000015
unix 0 [ ] DGRAM 13453
unix 0 [ ] DGRAM 13450
unix 0 [ ] DGRAM 13446
unix 0 [ ] DGRAM 958
unix 1 [ ] STREAM CONNECTED 710 /tmp/.X11-unix/X0
unix 1 [ ] STREAM CONNECTED 701 /tmp/.font-unix/fs-1
unix 1 [ ] STREAM CONNECTED 702 /tmp/.X11-unix/X0
unix 0 [ ] DGRAM 644
unix 0 [ ] DGRAM 586
unix 0 [ ] DGRAM 561
unix 0 [ ] DGRAM 509
unix 0 [ ] DGRAM 452
unix 0 [ ] DGRAM 438

Is cflowdmux not working properly here?

Halldor Karl Hognason E.E.
Islandssimi hf.
Borgartun 30
105 Reykjavik
ICELAND
E-mail: halldor.hognason@islandssimi.is
Tel: +354 5955016
Mob: +354 820 5016
Fax: +354 5955050
-- cflowd mailing list cflowd@caida.org
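
Added example (not part of the original message and not cflowd code): a small Python parser for `netstat -an` rows like the ones quoted above. On Linux an unconnected UDP socket has no LISTEN state, so its State column is blank and a bound collector port appears as a five-field row; a Recv-Q above zero on that row means datagrams have arrived but the process has not read them. The function names and status strings are invented for this illustration, and the sample rows are copied from the message.

```python
# Sample rows copied from the netstat output quoted in the message above.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:2056 0.0.0.0:* LISTEN
tcp 0 138 1.2.3.4:23 x.x.x.x:50687 ESTABLISHED
udp 0 0 0.0.0.0:9992 0.0.0.0:*
udp 0 0 0.0.0.0:953 0.0.0.0:*
"""

INET_PROTOS = ("tcp", "tcp6", "udp", "udp6")


def parse_inet_rows(text):
    """Yield one dict per tcp/udp row; 'state' is '' when the column is blank."""
    for line in text.splitlines():
        fields = line.split()
        # Skip banners, the column header, raw and unix-domain rows.
        if len(fields) < 5 or fields[0] not in INET_PROTOS:
            continue
        # rpartition copes with IPv6 locals such as ":::22".
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        yield {
            "proto": fields[0],
            "recv_q": int(fields[1]),
            "send_q": int(fields[2]),
            "addr": addr,
            "port": int(port),
            "foreign": fields[4],
            "state": fields[5] if len(fields) > 5 else "",
        }


def udp_port_status(text, port):
    """Classify a UDP port as unbound, bound, or bound with unread datagrams."""
    rows = [r for r in parse_inet_rows(text)
            if r["proto"].startswith("udp") and r["port"] == port]
    if not rows:
        return "unbound"
    if any(r["recv_q"] > 0 for r in rows):
        return "bound, datagrams queued unread"
    return "bound"


if __name__ == "__main__":
    print("udp/9992:", udp_port_status(SAMPLE, 9992))
```
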
This archive was generated by hypermail 2b29 : Thu Jun 07 2001 - 19:15:19 PDT